Nelson Bolyard wrote:
I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the "most" authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?

DNSSEC only attempts to ensure that you get the (a) correct IP address. It does absolutely nothing to ensure that you actually are connected to the site you wanted. It doesn't obviate SSL or PKI at all.

Is DNSSEC secure enough to make the statement "DNS name www.example.com is signed by CA with fingerprint ABCD"?
If so, a website can publish the expected CA that signed the cert for that website, giving an out of band method to confirm whether the cert presented to the client is legitimate or not.
Regards,
Graham
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
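
The out-of-band check proposed in the message above, as an added example that is not part of the original thread. The resolver result shape (`status`, `ca_fingerprints`) is a hypothetical interface, `status` uses the DNSSEC validation outcomes secure, insecure and bogus, and the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex."""
    return fp.replace(":", "").strip().lower()

def check_published_ca(chain_der, dns_answer):
    """Compare the presented chain against CA fingerprints published in DNS.

    chain_der:  presented chain, leaf first, followed by CA certificates.
    dns_answer: None if the name publishes no record, otherwise a dict
                {"status": "secure"|"insecure"|"bogus",
                 "ca_fingerprints": [...]}   (hypothetical shape)
    Returns "match", "mismatch", "no-pin" or "reject".
    """
    # No record, or an unsigned zone: the answer is no more trustworthy than
    # plain DNS, so it adds nothing to ordinary certificate validation.
    if dns_answer is None or dns_answer["status"] == "insecure":
        return "no-pin"
    # Signed zone whose answer failed validation: fail closed instead of
    # silently dropping the published CA.
    if dns_answer["status"] != "secure":
        return "reject"
    published = {normalize(fp) for fp in dns_answer["ca_fingerprints"]}
    # Only CA certificates count; the record names the signer, not the leaf.
    presented = {fingerprint(der) for der in chain_der[1:]}
    return "match" if published & presented else "mismatch"

# Constructed sample data (placeholders, not real certificates).
LEAF = b"constructed-leaf-certificate"
CA_A = b"constructed-ca-certificate-A"
CA_B = b"constructed-ca-certificate-B"

if __name__ == "__main__":
    pin = {"status": "secure", "ca_fingerprints": [fingerprint(CA_A)]}
    print(check_published_ca([LEAF, CA_A], pin))
    print(check_published_ca([LEAF, CA_B], pin))
```

This check supplements normal chain validation and does not replace it: a "match" only says the chain contains the published CA, not that the chain itself is valid.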